def write(self):
if os.path.exists(self.filename):
try:
shutil.copy2(self.filename, "%s.old" % self.filename)
except Exception as msg:
raise IOError("Backup of '%s' failed: %s" %
(self.filename, msg))
if not os.path.exists(config.ETC_FIREWALLD):
os.mkdir(config.ETC_FIREWALLD, 0o750)
f = io.open(self.filename, mode='wt', encoding='UTF-8')
handler = IO_Object_XMLGenerator(f)
handler.startDocument()
# start whitelist element
handler.startElement("whitelist", {})
handler.ignorableWhitespace("\n")
# commands
for command in uniqify(self.commands):
handler.ignorableWhitespace(" ")
handler.simpleElement("command", {"name": command})
handler.ignorableWhitespace("\n")
for uid in uniqify(self.uids):
handler.ignorableWhitespace(" ")
handler.simpleElement("user", {"id": str(uid)})
handler.ignorableWhitespace("\n")
for user in uniqify(self.users):
handler.ignorableWhitespace(" ")
handler.simpleElement("user", {"name": user})
handler.ignorableWhitespace("\n")
# for gid in uniqify(self.gids):
# handler.ignorableWhitespace(" ")
# handler.simpleElement("user", { "id": str(gid) })
# handler.ignorableWhitespace("\n")
# for group in uniqify(self.groups):
# handler.ignorableWhitespace(" ")
# handler.simpleElement("group", { "name": group })
# handler.ignorableWhitespace("\n")
for context in uniqify(self.contexts):
handler.ignorableWhitespace(" ")
handler.simpleElement("selinux", {"context": context})
handler.ignorableWhitespace("\n")
# end whitelist element
handler.endElement("whitelist")
handler.ignorableWhitespace("\n")
handler.endDocument()
f.close()
del handler
def policy_writer(policy, path=None):
_path = path if path else policy.path
if policy.filename:
name = "%s/%s" % (_path, policy.filename)
else:
name = "%s/%s.xml" % (_path, policy.name)
if os.path.exists(name):
try:
shutil.copy2(name, "%s.old" % name)
except Exception as msg:
log.error("Backup of file '%s' failed: %s", name, msg)
dirpath = os.path.dirname(name)
if dirpath.startswith(
config.ETC_FIREWALLD) and not os.path.exists(dirpath):
if not os.path.exists(config.ETC_FIREWALLD):
os.mkdir(config.ETC_FIREWALLD, 0o750)
os.mkdir(dirpath, 0o750)
f = io.open(name, mode='wt', encoding='UTF-8')
handler = IO_Object_XMLGenerator(f)
handler.startDocument()
# start policy element
attrs = {}
if policy.version and policy.version != "":
attrs["version"] = policy.version
if policy.priority != policy.priority_default:
attrs["priority"] = str(policy.priority)
attrs["target"] = policy.target
handler.startElement("policy", attrs)
handler.ignorableWhitespace("\n")
common_writer(policy, handler)
# ingress-zones
for zone in uniqify(policy.ingress_zones):
handler.ignorableWhitespace(" ")
handler.simpleElement("ingress-zone", {"name": zone})
handler.ignorableWhitespace("\n")
# egress-zones
for zone in uniqify(policy.egress_zones):
handler.ignorableWhitespace(" ")
handler.simpleElement("egress-zone", {"name": zone})
handler.ignorableWhitespace("\n")
# end policy element
handler.endElement("policy")
handler.ignorableWhitespace("\n")
handler.endDocument()
f.close()
del handler
def write(self):
if os.path.exists(self.filename):
try:
shutil.copy2(self.filename, "%s.old" % self.filename)
except Exception as msg:
raise IOError("Backup of '%s' failed: %s" % (self.filename, msg))
if not os.path.exists(config.ETC_FIREWALLD):
os.mkdir(config.ETC_FIREWALLD, 0o750)
f = io.open(self.filename, mode='wt', encoding='UTF-8')
handler = IO_Object_XMLGenerator(f)
handler.startDocument()
# start whitelist element
handler.startElement("whitelist", { })
handler.ignorableWhitespace("\n")
# commands
for command in uniqify(self.commands):
handler.ignorableWhitespace(" ")
handler.simpleElement("command", { "name": command })
handler.ignorableWhitespace("\n")
for uid in uniqify(self.uids):
handler.ignorableWhitespace(" ")
handler.simpleElement("user", { "id": str(uid) })
handler.ignorableWhitespace("\n")
for user in uniqify(self.users):
handler.ignorableWhitespace(" ")
handler.simpleElement("user", { "name": user })
handler.ignorableWhitespace("\n")
# for gid in uniqify(self.gids):
# handler.ignorableWhitespace(" ")
# handler.simpleElement("user", { "id": str(gid) })
# handler.ignorableWhitespace("\n")
# for group in uniqify(self.groups):
# handler.ignorableWhitespace(" ")
# handler.simpleElement("group", { "name": group })
# handler.ignorableWhitespace("\n")
for context in uniqify(self.contexts):
handler.ignorableWhitespace(" ")
handler.simpleElement("selinux", { "context": context })
handler.ignorableWhitespace("\n")
# end whitelist element
handler.endElement("whitelist")
handler.ignorableWhitespace("\n")
handler.endDocument()
f.close()
del handler
class LockdownWhitelist(IO_Object):
""" LockdownWhitelist class """
IMPORT_EXPORT_STRUCTURE = (
( "commands", [ "" ] ), # as
( "contexts", [ "" ] ), # as
( "users", [ "" ] ), # as
( "uids", [ 0 ] ) # ai
)
DBUS_SIGNATURE = '(asasasai)'
ADDITIONAL_ALNUM_CHARS = [ "_" ]
PARSER_REQUIRED_ELEMENT_ATTRS = {
"whitelist": None,
"command": [ "name" ],
"user": None,
# "group": None,
"selinux": [ "context" ],
}
PARSER_OPTIONAL_ELEMENT_ATTRS = {
"user": [ "id", "name" ],
# "group": [ "id", "name" ],
}
def __init__(self, filename):
super(LockdownWhitelist, self).__init__()
self.filename = filename
self.clear()
def _check_config(self, config, item):
pass
def clear(self):
self.commands = [ ]
self.contexts = [ ]
self.users = [ ]
self.uids = [ ]
# self.groups = [ ]
# commands
def add_command(self, command):
if command not in self.commands:
self.commands.append(command)
def remove_command(self, command):
if command in self.commands:
self.commands.remove(command)
else:
raise FirewallError(NOT_ENABLED,
'Command "%s" not in whitelist.' % command)
def has_command(self, command):
return (command in self.commands)
def match_command(self, command):
for _command in self.commands:
if _command.endswith("*"):
if command.startswith(_command[:-1]):
return True
else:
if _command == command:
return True
return False
def get_commands(self):
return sorted(self.commands)
# user ids
def add_uid(self, uid):
if uid not in self.uids:
self.uids.append(uid)
def remove_uid(self, uid):
if uid in self.uids:
self.uids.remove(uid)
else:
raise FirewallError(NOT_ENABLED,
'Uid "%s" not in whitelist.' % uid)
def has_uid(self, uid):
return (uid in self.uids)
def match_uid(self, uid):
return (uid in self.uids)
def get_uids(self):
return sorted(self.uids)
# users
def add_user(self, user):
if user not in self.users:
self.users.append(user)
def remove_user(self, user):
if user in self.users:
self.users.remove(user)
else:
raise FirewallError(NOT_ENABLED,
'User "%s" not in whitelist.' % user)
def has_user(self, user):
return (user in self.users)
def match_user(self, user):
return (user in self.users)
def get_users(self):
return sorted(self.users)
# # group ids
#
# def add_gid(self, gid):
# if gid not in self.gids:
# self.gids.append(gid)
#
# def remove_gid(self, gid):
# if gid in self.gids:
# self.gids.remove(gid)
# else:
# raise FirewallError(NOT_ENABLED,
# 'Gid "%s" not in whitelist.' % gid)
#
# def has_gid(self, gid):
# return (gid in self.gids)
#
# def match_gid(self, gid):
# return (gid in self.gids)
#
# def get_gids(self):
# return sorted(self.gids)
# # groups
#
# def add_group(self, group):
# if group not in self.groups:
# self.groups.append(group)
#
# def remove_group(self, group):
# if group in self.groups:
# self.groups.remove(group)
# else:
# raise FirewallError(NOT_ENABLED,
# 'Group "%s" not in whitelist.' % group)
#
# def has_group(self, group):
# return (group in self.groups)
#
# def match_group(self, group):
# return (group in self.groups)
#
# def get_groups(self):
# return sorted(self.groups)
# selinux contexts
def add_context(self, context):
if context not in self.contexts:
self.contexts.append(context)
def remove_context(self, context):
if context in self.contexts:
self.contexts.remove(context)
else:
raise FirewallError(NOT_ENABLED,
'Context "%s" not in whitelist.' % context)
def has_context(self, context):
return (context in self.contexts)
def match_context(self, context):
return (context in self.contexts)
def get_contexts(self):
return sorted(self.contexts)
# read and write
def read(self):
self.clear()
if not self.filename.endswith(".xml"):
raise FirewallError(INVALID_NAME, self.filename)
handler = lockdown_whitelist_ContentHandler(self)
parser = sax.make_parser()
parser.setContentHandler(handler)
parser.parse(self.filename)
def write(self):
if os.path.exists(self.filename):
try:
shutil.copy2(self.filename, "%s.old" % self.filename)
except Exception, msg:
raise IOError("Backup of '%s' failed: %s" % (self.filename, msg))
fd = open(self.filename, "w")
handler = IO_Object_XMLGenerator(fd)
handler.startDocument()
# start whitelist element
handler.startElement("whitelist", { })
handler.ignorableWhitespace("\n")
# commands
for command in uniqify(self.commands):
handler.ignorableWhitespace(" ")
handler.simpleElement("command", { "name": command })
handler.ignorableWhitespace("\n")
for uid in uniqify(self.uids):
handler.ignorableWhitespace(" ")
handler.simpleElement("user", { "id": str(uid) })
handler.ignorableWhitespace("\n")
for user in uniqify(self.users):
handler.ignorableWhitespace(" ")
handler.simpleElement("user", { "name": user })
handler.ignorableWhitespace("\n")
# for gid in uniqify(self.gids):
# handler.ignorableWhitespace(" ")
# handler.simpleElement("user", { "id": str(gid) })
# handler.ignorableWhitespace("\n")
# for group in uniqify(self.groups):
# handler.ignorableWhitespace(" ")
# handler.simpleElement("group", { "name": group })
# handler.ignorableWhitespace("\n")
for context in uniqify(self.contexts):
handler.ignorableWhitespace(" ")
handler.simpleElement("selinux", { "context": context })
handler.ignorableWhitespace("\n")
# end whitelist element
handler.endElement("whitelist")
handler.ignorableWhitespace("\n")
handler.endDocument()
fd.close()
def common_writer(obj, handler):
# short
if obj.short and obj.short != "":
handler.ignorableWhitespace(" ")
handler.startElement("short", {})
handler.characters(obj.short)
handler.endElement("short")
handler.ignorableWhitespace("\n")
# description
if obj.description and obj.description != "":
handler.ignorableWhitespace(" ")
handler.startElement("description", {})
handler.characters(obj.description)
handler.endElement("description")
handler.ignorableWhitespace("\n")
# services
for service in uniqify(obj.services):
handler.ignorableWhitespace(" ")
handler.simpleElement("service", {"name": service})
handler.ignorableWhitespace("\n")
# ports
for port in uniqify(obj.ports):
handler.ignorableWhitespace(" ")
handler.simpleElement("port", {"port": port[0], "protocol": port[1]})
handler.ignorableWhitespace("\n")
# protocols
for protocol in uniqify(obj.protocols):
handler.ignorableWhitespace(" ")
handler.simpleElement("protocol", {"value": protocol})
handler.ignorableWhitespace("\n")
# icmp-blocks
for icmp in uniqify(obj.icmp_blocks):
handler.ignorableWhitespace(" ")
handler.simpleElement("icmp-block", {"name": icmp})
handler.ignorableWhitespace("\n")
# masquerade
if obj.masquerade:
handler.ignorableWhitespace(" ")
handler.simpleElement("masquerade", {})
handler.ignorableWhitespace("\n")
# forward-ports
for forward in uniqify(obj.forward_ports):
handler.ignorableWhitespace(" ")
attrs = {"port": forward[0], "protocol": forward[1]}
if forward[2] and forward[2] != "":
attrs["to-port"] = forward[2]
if forward[3] and forward[3] != "":
attrs["to-addr"] = forward[3]
handler.simpleElement("forward-port", attrs)
handler.ignorableWhitespace("\n")
# source-ports
for port in uniqify(obj.source_ports):
handler.ignorableWhitespace(" ")
handler.simpleElement("source-port", {
"port": port[0],
"protocol": port[1]
})
handler.ignorableWhitespace("\n")
# rules
for rule in obj.rules:
attrs = {}
if rule.family:
attrs["family"] = rule.family
if rule.priority != 0:
attrs["priority"] = str(rule.priority)
handler.ignorableWhitespace(" ")
handler.startElement("rule", attrs)
handler.ignorableWhitespace("\n")
# source
if rule.source:
attrs = {}
if rule.source.addr:
attrs["address"] = rule.source.addr
if rule.source.mac:
attrs["mac"] = rule.source.mac
if rule.source.ipset:
attrs["ipset"] = rule.source.ipset
if rule.source.invert:
attrs["invert"] = "True"
handler.ignorableWhitespace(" ")
handler.simpleElement("source", attrs)
handler.ignorableWhitespace("\n")
# destination
if rule.destination:
attrs = {}
if rule.destination.addr:
attrs["address"] = rule.destination.addr
if rule.destination.ipset:
attrs["ipset"] = rule.destination.ipset
if rule.destination.invert:
attrs["invert"] = "True"
handler.ignorableWhitespace(" ")
handler.simpleElement("destination", attrs)
handler.ignorableWhitespace("\n")
# element
if rule.element:
element = ""
attrs = {}
if type(rule.element) == rich.Rich_Service:
element = "service"
attrs["name"] = rule.element.name
elif type(rule.element) == rich.Rich_Port:
element = "port"
attrs["port"] = rule.element.port
attrs["protocol"] = rule.element.protocol
elif type(rule.element) == rich.Rich_Protocol:
element = "protocol"
attrs["value"] = rule.element.value
elif type(rule.element) == rich.Rich_Tcp_Mss_Clamp:
element = "tcp-mss-clamp"
attrs["value"] = rule.element.value
elif type(rule.element) == rich.Rich_Masquerade:
element = "masquerade"
elif type(rule.element) == rich.Rich_IcmpBlock:
element = "icmp-block"
attrs["name"] = rule.element.name
elif type(rule.element) == rich.Rich_IcmpType:
element = "icmp-type"
attrs["name"] = rule.element.name
elif type(rule.element) == rich.Rich_ForwardPort:
element = "forward-port"
attrs["port"] = rule.element.port
attrs["protocol"] = rule.element.protocol
if rule.element.to_port != "":
attrs["to-port"] = rule.element.to_port
if rule.element.to_address != "":
attrs["to-addr"] = rule.element.to_address
elif type(rule.element) == rich.Rich_SourcePort:
element = "source-port"
attrs["port"] = rule.element.port
attrs["protocol"] = rule.element.protocol
else:
raise FirewallError(
errors.INVALID_OBJECT,
"Unknown element '%s' in obj_writer" % type(rule.element))
handler.ignorableWhitespace(" ")
handler.simpleElement(element, attrs)
handler.ignorableWhitespace("\n")
# rule.element
# log
if rule.log:
if type(rule.log) == rich.Rich_Log:
attrs = {}
if rule.log.prefix:
attrs["prefix"] = rule.log.prefix
if rule.log.level:
attrs["level"] = rule.log.level
if rule.log.limit:
handler.ignorableWhitespace(" ")
handler.startElement("log", attrs)
handler.ignorableWhitespace("\n ")
handler.simpleElement("limit",
{"value": rule.log.limit.value})
handler.ignorableWhitespace("\n ")
handler.endElement("log")
else:
handler.ignorableWhitespace(" ")
handler.simpleElement("log", attrs)
handler.ignorableWhitespace("\n")
else:
attrs = {}
if rule.log.group:
attrs["group"] = rule.log.group
if rule.log.prefix:
attrs["prefix"] = rule.log.prefix
if rule.log.threshold:
attrs["queue-size"] = rule.log.threshold
if rule.log.limit:
handler.ignorableWhitespace(" ")
handler.startElement("nflog", attrs)
handler.ignorableWhitespace("\n ")
handler.simpleElement("limit",
{"value": rule.log.limit.value})
handler.ignorableWhitespace("\n ")
handler.endElement("nflog")
else:
handler.ignorableWhitespace(" ")
handler.simpleElement("nflog", attrs)
handler.ignorableWhitespace("\n")
# audit
if rule.audit:
attrs = {}
if rule.audit.limit:
handler.ignorableWhitespace(" ")
handler.startElement("audit", {})
handler.ignorableWhitespace("\n ")
handler.simpleElement("limit",
{"value": rule.audit.limit.value})
handler.ignorableWhitespace("\n ")
handler.endElement("audit")
else:
handler.ignorableWhitespace(" ")
handler.simpleElement("audit", attrs)
handler.ignorableWhitespace("\n")
# action
if rule.action:
action = ""
attrs = {}
if type(rule.action) == rich.Rich_Accept:
action = "accept"
elif type(rule.action) == rich.Rich_Reject:
action = "reject"
if rule.action.type:
attrs["type"] = rule.action.type
elif type(rule.action) == rich.Rich_Drop:
action = "drop"
elif type(rule.action) == rich.Rich_Mark:
action = "mark"
attrs["set"] = rule.action.set
else:
log.warning("Unknown action '%s'", type(rule.action))
if rule.action.limit:
handler.ignorableWhitespace(" ")
handler.startElement(action, attrs)
handler.ignorableWhitespace("\n ")
handler.simpleElement("limit",
{"value": rule.action.limit.value})
handler.ignorableWhitespace("\n ")
handler.endElement(action)
else:
handler.ignorableWhitespace(" ")
handler.simpleElement(action, attrs)
handler.ignorableWhitespace("\n")
handler.ignorableWhitespace(" ")
handler.endElement("rule")
handler.ignorableWhitespace("\n")
def zone_writer(zone, path=None):
_path = path if path else zone.path
if zone.filename:
name = "%s/%s" % (_path, zone.filename)
else:
name = "%s/%s.xml" % (_path, zone.name)
if os.path.exists(name):
try:
shutil.copy2(name, "%s.old" % name)
except Exception as msg:
log.error("Backup of file '%s' failed: %s", name, msg)
dirpath = os.path.dirname(name)
if dirpath.startswith(
config.ETC_FIREWALLD) and not os.path.exists(dirpath):
if not os.path.exists(config.ETC_FIREWALLD):
os.mkdir(config.ETC_FIREWALLD, 0o750)
os.mkdir(dirpath, 0o750)
f = io.open(name, mode='wt', encoding='UTF-8')
handler = IO_Object_XMLGenerator(f)
handler.startDocument()
# start zone element
attrs = {}
if zone.version and zone.version != "":
attrs["version"] = zone.version
if zone.target != DEFAULT_ZONE_TARGET:
attrs["target"] = zone.target
handler.startElement("zone", attrs)
handler.ignorableWhitespace("\n")
# short
if zone.short and zone.short != "":
handler.ignorableWhitespace(" ")
handler.startElement("short", {})
handler.characters(zone.short)
handler.endElement("short")
handler.ignorableWhitespace("\n")
# description
if zone.description and zone.description != "":
handler.ignorableWhitespace(" ")
handler.startElement("description", {})
handler.characters(zone.description)
handler.endElement("description")
handler.ignorableWhitespace("\n")
# interfaces
for interface in uniqify(zone.interfaces):
handler.ignorableWhitespace(" ")
handler.simpleElement("interface", {"name": interface})
handler.ignorableWhitespace("\n")
# source
for source in uniqify(zone.sources):
handler.ignorableWhitespace(" ")
if "ipset:" in source:
handler.simpleElement("source", {"ipset": source[6:]})
else:
handler.simpleElement("source", {"address": source})
handler.ignorableWhitespace("\n")
# services
for service in uniqify(zone.services):
handler.ignorableWhitespace(" ")
handler.simpleElement("service", {"name": service})
handler.ignorableWhitespace("\n")
# ports
for port in uniqify(zone.ports):
handler.ignorableWhitespace(" ")
handler.simpleElement("port", {"port": port[0], "protocol": port[1]})
handler.ignorableWhitespace("\n")
# protocols
for protocol in uniqify(zone.protocols):
handler.ignorableWhitespace(" ")
handler.simpleElement("protocol", {"value": protocol})
handler.ignorableWhitespace("\n")
# icmp-block-inversion
if zone.icmp_block_inversion:
handler.ignorableWhitespace(" ")
handler.simpleElement("icmp-block-inversion", {})
handler.ignorableWhitespace("\n")
# icmp-blocks
for icmp in uniqify(zone.icmp_blocks):
handler.ignorableWhitespace(" ")
handler.simpleElement("icmp-block", {"name": icmp})
handler.ignorableWhitespace("\n")
# masquerade
if zone.masquerade:
handler.ignorableWhitespace(" ")
handler.simpleElement("masquerade", {})
handler.ignorableWhitespace("\n")
# forward-ports
for forward in uniqify(zone.forward_ports):
handler.ignorableWhitespace(" ")
attrs = {"port": forward[0], "protocol": forward[1]}
if forward[2] and forward[2] != "":
attrs["to-port"] = forward[2]
if forward[3] and forward[3] != "":
attrs["to-addr"] = forward[3]
handler.simpleElement("forward-port", attrs)
handler.ignorableWhitespace("\n")
# source-ports
for port in uniqify(zone.source_ports):
handler.ignorableWhitespace(" ")
handler.simpleElement("source-port", {
"port": port[0],
"protocol": port[1]
})
handler.ignorableWhitespace("\n")
# rules
for rule in zone.rules:
attrs = {}
if rule.family:
attrs["family"] = rule.family
handler.ignorableWhitespace(" ")
handler.startElement("rule", attrs)
handler.ignorableWhitespace("\n")
# source
if rule.source:
attrs = {}
if rule.source.addr:
attrs["address"] = rule.source.addr
if rule.source.mac:
attrs["mac"] = rule.source.mac
if rule.source.ipset:
attrs["ipset"] = rule.source.ipset
if rule.source.invert:
attrs["invert"] = "True"
handler.ignorableWhitespace(" ")
handler.simpleElement("source", attrs)
handler.ignorableWhitespace("\n")
# destination
if rule.destination:
attrs = {"address": rule.destination.addr}
if rule.destination.invert:
attrs["invert"] = "True"
handler.ignorableWhitespace(" ")
handler.simpleElement("destination", attrs)
handler.ignorableWhitespace("\n")
# element
if rule.element:
element = ""
attrs = {}
if type(rule.element) == rich.Rich_Service:
element = "service"
attrs["name"] = rule.element.name
elif type(rule.element) == rich.Rich_Port:
element = "port"
attrs["port"] = rule.element.port
attrs["protocol"] = rule.element.protocol
elif type(rule.element) == rich.Rich_Protocol:
element = "protocol"
attrs["value"] = rule.element.value
elif type(rule.element) == rich.Rich_Masquerade:
element = "masquerade"
elif type(rule.element) == rich.Rich_IcmpBlock:
element = "icmp-block"
attrs["name"] = rule.element.name
elif type(rule.element) == rich.Rich_IcmpType:
element = "icmp-type"
attrs["name"] = rule.element.name
elif type(rule.element) == rich.Rich_ForwardPort:
element = "forward-port"
attrs["port"] = rule.element.port
attrs["protocol"] = rule.element.protocol
if rule.element.to_port != "":
attrs["to-port"] = rule.element.to_port
if rule.element.to_address != "":
attrs["to-addr"] = rule.element.to_address
elif type(rule.element) == rich.Rich_SourcePort:
element = "source-port"
attrs["port"] = rule.element.port
attrs["protocol"] = rule.element.protocol
else:
raise FirewallError(
errors.INVALID_OBJECT,
"Unknown element '%s' in zone_writer" % type(rule.element))
handler.ignorableWhitespace(" ")
handler.simpleElement(element, attrs)
handler.ignorableWhitespace("\n")
# rule.element
# log
if rule.log:
attrs = {}
if rule.log.prefix:
attrs["prefix"] = rule.log.prefix
if rule.log.level:
attrs["level"] = rule.log.level
if rule.log.limit:
handler.ignorableWhitespace(" ")
handler.startElement("log", attrs)
handler.ignorableWhitespace("\n ")
handler.simpleElement("limit", {"value": rule.log.limit.value})
handler.ignorableWhitespace("\n ")
handler.endElement("log")
else:
handler.ignorableWhitespace(" ")
handler.simpleElement("log", attrs)
handler.ignorableWhitespace("\n")
# audit
if rule.audit:
attrs = {}
if rule.audit.limit:
handler.ignorableWhitespace(" ")
handler.startElement("audit", {})
handler.ignorableWhitespace("\n ")
handler.simpleElement("limit",
{"value": rule.audit.limit.value})
handler.ignorableWhitespace("\n ")
handler.endElement("audit")
else:
handler.ignorableWhitespace(" ")
handler.simpleElement("audit", attrs)
handler.ignorableWhitespace("\n")
# action
if rule.action:
action = ""
attrs = {}
if type(rule.action) == rich.Rich_Accept:
action = "accept"
elif type(rule.action) == rich.Rich_Reject:
action = "reject"
if rule.action.type:
attrs["type"] = rule.action.type
elif type(rule.action) == rich.Rich_Drop:
action = "drop"
elif type(rule.action) == rich.Rich_Mark:
action = "mark"
attrs["set"] = rule.action.set
else:
log.warning("Unknown action '%s'", type(rule.action))
if rule.action.limit:
handler.ignorableWhitespace(" ")
handler.startElement(action, attrs)
handler.ignorableWhitespace("\n ")
handler.simpleElement("limit",
{"value": rule.action.limit.value})
handler.ignorableWhitespace("\n ")
handler.endElement(action)
else:
handler.ignorableWhitespace(" ")
handler.simpleElement(action, attrs)
handler.ignorableWhitespace("\n")
handler.ignorableWhitespace(" ")
handler.endElement("rule")
handler.ignorableWhitespace("\n")
# end zone element
handler.endElement("zone")
handler.ignorableWhitespace("\n")
handler.endDocument()
f.close()
del handler
def zone_writer(zone, path=None):
_path = path if path else zone.path
if zone.filename:
name = "%s/%s" % (_path, zone.filename)
else:
name = "%s/%s.xml" % (_path, zone.name)
if os.path.exists(name):
try:
shutil.copy2(name, "%s.old" % name)
except Exception as msg:
raise IOError("Backup of '%s' failed: %s" % (name, msg))
dirpath = os.path.dirname(name)
if dirpath.startswith(ETC_FIREWALLD) and not os.path.exists(dirpath):
if not os.path.exists(ETC_FIREWALLD):
os.mkdir(ETC_FIREWALLD, 0o750)
os.mkdir(dirpath, 0o750)
f = io.open(name, mode='wt', encoding='UTF-8')
handler = IO_Object_XMLGenerator(f)
handler.startDocument()
# start zone element
attrs = {}
if zone.version and zone.version != "":
attrs["version"] = zone.version
if zone.target != DEFAULT_ZONE_TARGET:
attrs["target"] = zone.target
handler.startElement("zone", attrs)
handler.ignorableWhitespace("\n")
# short
if zone.short and zone.short != "":
handler.ignorableWhitespace(" ")
handler.startElement("short", { })
handler.characters(zone.short)
handler.endElement("short")
handler.ignorableWhitespace("\n")
# description
if zone.description and zone.description != "":
handler.ignorableWhitespace(" ")
handler.startElement("description", { })
handler.characters(zone.description)
handler.endElement("description")
handler.ignorableWhitespace("\n")
# interfaces
for interface in uniqify(zone.interfaces):
handler.ignorableWhitespace(" ")
handler.simpleElement("interface", { "name": interface })
handler.ignorableWhitespace("\n")
# source
for source in uniqify(zone.sources):
handler.ignorableWhitespace(" ")
handler.simpleElement("source", { "address": source })
handler.ignorableWhitespace("\n")
# services
for service in uniqify(zone.services):
handler.ignorableWhitespace(" ")
handler.simpleElement("service", { "name": service })
handler.ignorableWhitespace("\n")
# ports
for port in uniqify(zone.ports):
handler.ignorableWhitespace(" ")
handler.simpleElement("port", { "port": port[0], "protocol": port[1] })
handler.ignorableWhitespace("\n")
# protocols
for protocol in uniqify(zone.protocols):
handler.ignorableWhitespace(" ")
handler.simpleElement("protocol", { "value": protocol })
handler.ignorableWhitespace("\n")
# icmp-blocks
for icmp in uniqify(zone.icmp_blocks):
handler.ignorableWhitespace(" ")
handler.simpleElement("icmp-block", { "name": icmp })
handler.ignorableWhitespace("\n")
# masquerade
if zone.masquerade:
handler.ignorableWhitespace(" ")
handler.simpleElement("masquerade", { })
handler.ignorableWhitespace("\n")
# forward-ports
for forward in uniqify(zone.forward_ports):
handler.ignorableWhitespace(" ")
attrs = { "port": forward[0], "protocol": forward[1] }
if forward[2] and forward[2] != "" :
attrs["to-port"] = forward[2]
if forward[3] and forward[3] != "" :
attrs["to-addr"] = forward[3]
handler.simpleElement("forward-port", attrs)
handler.ignorableWhitespace("\n")
# rules
for rule in zone.rules:
attrs = { }
if rule.family:
attrs["family"] = rule.family
handler.ignorableWhitespace(" ")
handler.startElement("rule", attrs)
handler.ignorableWhitespace("\n")
# source
if rule.source:
attrs = { "address": rule.source.addr }
if rule.source.invert:
attrs["invert"] = "True"
handler.ignorableWhitespace(" ")
handler.simpleElement("source", attrs)
handler.ignorableWhitespace("\n")
# destination
if rule.destination:
attrs = { "address": rule.destination.addr }
if rule.destination.invert:
attrs["invert"] = "True"
handler.ignorableWhitespace(" ")
handler.simpleElement("destination", attrs)
handler.ignorableWhitespace("\n")
# element
if rule.element:
element = ""
attrs = { }
if type(rule.element) == Rich_Service:
element = "service"
attrs["name"] = rule.element.name
elif type(rule.element) == Rich_Port:
element = "port"
attrs["port"] = rule.element.port
attrs["protocol"] = rule.element.protocol
elif type(rule.element) == Rich_Protocol:
element = "protocol"
attrs["value"] = rule.element.value
elif type(rule.element) == Rich_Masquerade:
element = "masquerade"
elif type(rule.element) == Rich_IcmpBlock:
element = "icmp-block"
attrs["name"] = rule.element.name
elif type(rule.element) == Rich_ForwardPort:
element = "forward-port"
attrs["port"] = rule.element.port
attrs["protocol"] = rule.element.protocol
if rule.element.to_port != "":
attrs["to-port"] = rule.element.to_port
if rule.element.to_address != "":
attrs["to-addr"] = rule.element.to_address
else:
log.error('Unknown element "%s"' % type(rule.element))
handler.ignorableWhitespace(" ")
handler.simpleElement(element, attrs)
handler.ignorableWhitespace("\n")
# rule.element
# log
if rule.log:
attrs = { }
if rule.log.prefix:
attrs["prefix"] = rule.log.prefix
if rule.log.level:
attrs["level"] = rule.log.level
if rule.log.limit:
handler.ignorableWhitespace(" ")
handler.startElement("log", attrs)
handler.ignorableWhitespace("\n ")
handler.simpleElement("limit",
{ "value": rule.log.limit.value })
handler.ignorableWhitespace("\n ")
handler.endElement("log")
else:
handler.ignorableWhitespace(" ")
handler.simpleElement("log", attrs)
handler.ignorableWhitespace("\n")
# audit
if rule.audit:
attrs = {}
if rule.audit.limit:
handler.ignorableWhitespace(" ")
handler.startElement("audit", { })
handler.ignorableWhitespace("\n ")
handler.simpleElement("limit",
{ "value": rule.audit.limit.value })
handler.ignorableWhitespace("\n ")
handler.endElement("audit")
else:
handler.ignorableWhitespace(" ")
handler.simpleElement("audit", attrs)
handler.ignorableWhitespace("\n")
# action
if rule.action:
action = ""
attrs = { }
if type(rule.action) == Rich_Accept:
action = "accept"
elif type(rule.action) == Rich_Reject:
action = "reject"
if rule.action.type:
attrs["type"] = rule.action.type
elif type(rule.action) == Rich_Drop:
action = "drop"
else:
log.error('Unknown action "%s"' % type(rule.action))
if rule.action.limit:
handler.ignorableWhitespace(" ")
handler.startElement(action, attrs)
handler.ignorableWhitespace("\n ")
handler.simpleElement("limit",
{ "value": rule.action.limit.value })
handler.ignorableWhitespace("\n ")
handler.endElement(action)
else:
handler.ignorableWhitespace(" ")
handler.simpleElement(action, attrs)
handler.ignorableWhitespace("\n")
handler.ignorableWhitespace(" ")
handler.endElement("rule")
handler.ignorableWhitespace("\n")
# end zone element
handler.endElement("zone")
handler.ignorableWhitespace("\n")
handler.endDocument()
f.close()
del handler
else zone.short)
handler.endElement("short")
handler.ignorableWhitespace("\n")
# description
if zone.description and zone.description != "":
handler.ignorableWhitespace(" ")
handler.startElement("description", { })
handler.characters(zone.description.decode('utf-8')
if isinstance(zone.description, bytes)
else zone.description)
handler.endElement("description")
handler.ignorableWhitespace("\n")
# interfaces
for interface in uniqify(zone.interfaces):
handler.ignorableWhitespace(" ")
handler.simpleElement("interface", { "name": interface })
handler.ignorableWhitespace("\n")
# source
for source in uniqify(zone.sources):
handler.ignorableWhitespace(" ")
handler.simpleElement("source", { "address": source })
handler.ignorableWhitespace("\n")
# services
for service in uniqify(zone.services):
handler.ignorableWhitespace(" ")
handler.simpleElement("service", { "name": service })
handler.ignorableWhitespace("\n")
def zone_writer(zone, path=None):
_path = path if path else zone.path
if zone.filename:
name = "%s/%s" % (_path, zone.filename)
else:
name = "%s/%s.xml" % (_path, zone.name)
if os.path.exists(name):
try:
shutil.copy2(name, "%s.old" % name)
except Exception as msg:
log.error("Backup of file '%s' failed: %s", name, msg)
dirpath = os.path.dirname(name)
if dirpath.startswith(
config.ETC_FIREWALLD) and not os.path.exists(dirpath):
if not os.path.exists(config.ETC_FIREWALLD):
os.mkdir(config.ETC_FIREWALLD, 0o750)
os.mkdir(dirpath, 0o750)
f = io.open(name, mode='wt', encoding='UTF-8')
handler = IO_Object_XMLGenerator(f)
handler.startDocument()
# start zone element
attrs = {}
if zone.version and zone.version != "":
attrs["version"] = zone.version
if zone.target != DEFAULT_ZONE_TARGET:
attrs["target"] = zone.target
handler.startElement("zone", attrs)
handler.ignorableWhitespace("\n")
common_writer(zone, handler)
# interfaces
for interface in uniqify(zone.interfaces):
handler.ignorableWhitespace(" ")
handler.simpleElement("interface", {"name": interface})
handler.ignorableWhitespace("\n")
# source
for source in uniqify(zone.sources):
handler.ignorableWhitespace(" ")
if "ipset:" in source:
handler.simpleElement("source", {"ipset": source[6:]})
else:
handler.simpleElement("source", {"address": source})
handler.ignorableWhitespace("\n")
# icmp-block-inversion
if zone.icmp_block_inversion:
handler.ignorableWhitespace(" ")
handler.simpleElement("icmp-block-inversion", {})
handler.ignorableWhitespace("\n")
# forward
if zone.forward:
handler.ignorableWhitespace(" ")
handler.simpleElement("forward", {})
handler.ignorableWhitespace("\n")
# end zone element
handler.endElement("zone")
handler.ignorableWhitespace("\n")
handler.endDocument()
f.close()
del handler
) else zone.short)
handler.endElement("short")
handler.ignorableWhitespace("\n")
# description
if zone.description and zone.description != "":
handler.ignorableWhitespace(" ")
handler.startElement("description", {})
handler.characters(
zone.description.decode('utf-8') if isinstance(
zone.description, bytes) else zone.description)
handler.endElement("description")
handler.ignorableWhitespace("\n")
# interfaces
for interface in uniqify(zone.interfaces):
handler.ignorableWhitespace(" ")
handler.simpleElement("interface", {"name": interface})
handler.ignorableWhitespace("\n")
# source
for source in uniqify(zone.sources):
handler.ignorableWhitespace(" ")
handler.simpleElement("source", {"address": source})
handler.ignorableWhitespace("\n")
# services
for service in uniqify(zone.services):
handler.ignorableWhitespace(" ")
handler.simpleElement("service", {"name": service})
handler.ignorableWhitespace("\n")
